# Lambda Execution Role
resource "aws_iam_role_policy_attachment" "lambda_execution_role_policy_attachement_1" {
  role       = data.aws_ssm_parameter.lambda_role_name.value
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
resource "aws_iam_policy" "lambda_execution_role_policy" {
  name        = "${local.name_prefix}-lambda-execution-role-policy"
  description = "A custom policy for Lambda to access ECR backend repository"
  policy      = data.aws_iam_policy_document.lambda_execution_role_policy.json
  tags        = merge(local.required_tags, var.tags)
}
resource "aws_iam_role_policy_attachment" "lambda_role_policy_attachement_2" {
  role       = data.aws_ssm_parameter.lambda_role_name.value
  policy_arn = aws_iam_policy.lambda_execution_role_policy.arn
}

# Api Gateway Execution Role
resource "aws_iam_role" "api_gateway_execution_role" {
  name               = "${local.name_prefix}-api-gateway-execution-role"
  assume_role_policy = data.aws_iam_policy_document.api_gateway_execution_assume_role_policy.json
  tags               = merge(local.required_tags)
}
resource "aws_iam_policy" "api_gateway_execution_role_policy" {
  name        = "${local.name_prefix}-api_gateway_execution-role-policy"
  description = "A custom policy for Api Gateway executions"
  policy      = data.aws_iam_policy_document.api_gateway_execution_role_policy.json
  tags        = merge(local.required_tags, var.tags)
}
resource "aws_iam_role_policy_attachment" "api_gateway_execution_role_policy_attachement_1" {
  role       = aws_iam_role.api_gateway_execution_role.name
  policy_arn = aws_iam_policy.api_gateway_execution_role_policy.arn
}

# Api Gateway Cloudwatch Role
resource "aws_iam_role" "api_gateway_cloudwatch_role" {
  name               = "${local.name_prefix}-api-gateway-cloudwatch-role"
  assume_role_policy = <<EOF
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": "apigateway.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    EOF
  tags               = merge(local.required_tags)
}
resource "aws_iam_role_policy" "api_gateway_cloudwatch_role_policy" {
  name   = "${local.name_prefix}-cloudwatch-policy"
  role   = aws_iam_role.api_gateway_cloudwatch_role.id
  policy = data.aws_iam_policy_document.cloudwatch.json
}

# Frontend ECS role policy
resource "aws_iam_policy" "frontend_ecs_task_role_policy" {
  name        = "${local.name_prefix}-frontend_ecs_task_role-policy"
  description = "A custom policy ecs_task_role_frontend"
  policy      = data.aws_iam_policy_document.frontend_ecs_task_role_policy.json
  tags        = merge(local.required_tags, var.tags)
}
resource "aws_iam_role_policy_attachment" "frontend_ecs_task_role_policy_attachement_1" {
  role       = data.aws_ssm_parameter.ecs_task_role_frontend_name.value
  policy_arn = aws_iam_policy.frontend_ecs_task_role_policy.arn
}

# Adding rights to devops roles 
# resource "aws_iam_policy" "sagemaker_for_devops_roles_policy" {
#   name        = "${local.name_prefix}-sagemaker-for-devops-roles-policy"
#   description = "A custom sagemaker_for_devops_roles_policy"
#   policy      = data.aws_iam_policy_document.sagemaker_for_devops_roles_document.json
#   tags        = merge(local.required_tags, var.tags)
# }
# resource "aws_iam_role_policy_attachment" "sagemaker_for_devops_roles_policy_attach_1" {
#   for_each   = toset(data.aws_iam_roles.devops_roles.names)
#   role       = each.value
#   policy_arn = aws_iam_policy.sagemaker_for_devops_roles_policy.arn
# }